#ro0ted #OpNewblood What the blackhats don’t want you to know: Bypassing Registering 101
Some programs require a key file to register the product; otherwise you get an evaluation trial. – https://twitter.com/ro0ted/
The first thing we notice is that the Register Now box is grayed out. The second thing to notice is that when you click Import it shows the type of file it’s looking for and its name. When you reverse engineer, you have to keep every little detail in mind.
Now we know it’s looking for hpapikey.bin.
So let’s see what happens if we try to make a fake hpapikey.bin file.
Open Notepad or in my case Notepad++:
Now save the file as hpapikey.bin
Now try to use that file in the target:
It’s still grayed out right? Well enter your name:
Now you see this:
Now click “Continue Evaluating” and check whether anything changed in the About box. Click the Help menu, choose “About Hpmbcalc”, and this pops up:
We previewed it and saw what we can do and what we can’t.
Now power up Ollydbg:
Open another window in Resource Hacker:
If you go to OllyDbg and look through the string references you will not find anything, so click the String module in Resource Hacker:
What are we looking for? The error we received when trying to register: “The register information you have given can’t be verified”.
So click view on the top>Find Text:
Search the error:
We come to this:
You see 2076? That’s the string ID the program pushes to load that message.
Re-maximize Olly, right click, Search for > Constant:
Brings this tiny box up:
Type 2076 in the signed and unsigned fields; Olly converts it to hex for you automatically:
Press okay and we come here:
PUSH 0x81C (0x81C is 2076 in hex) pushes the error string ID, so now you know where the error comes from.
We do the same thing we did here to find the success popup, so in Olly:
We see it’s just above the error:
Let’s try a breakpoint on 004195FC and change the flag so it doesn’t jump. When the program runs, enter your info and your key file and hit “Register”, and Olly breaks here:
Change flag in registers and press F9:
Now click okay and go to the About Screen:
Nope, still the same. Restart Olly.
Set a BP Here:
Why? Because it sets EAX.
You should come here:
If you go to 00413E00 you’ll see the program’s using crypto to protect the real serial, so set a BP there, right click, hit Assemble, enter RETN, press F9, and you’ll see:
The Register button’s gone and now it’s registered to me.